pr-cluster
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow relies on extracting strings from Pull Request titles, keywords, and file paths, which are then interpolated directly into `gh api` shell commands. Because this data comes from untrusted external sources, it could be crafted to include shell metacharacters (e.g., `;`, `&`, `|`), potentially leading to unauthorized command execution in the agent's environment.
- [PROMPT_INJECTION]: The skill has a high surface area for indirect prompt injection (Category 8) as it processes PR bodies and comments to perform scoring and duplicate detection. An attacker could embed malicious instructions in a PR to manipulate the agent's logic or conclusions.
- Ingestion points: PR metadata, bodies, and comments are fetched from GitHub via the `gh api` tool as described in Phase 1 and Phase 4 of the workflow.
- Boundary markers: The skill lacks explicit delimiters or instructions to treat external PR data as untrusted, increasing the risk that the agent will follow instructions embedded within that data.
- Capability inventory: The agent is authorized to use `gh api`, `gh pr`, `gh search`, `git log`, and `git show`, providing a significant footprint for potential exploitation.
- Sanitization: There are no defined steps for sanitizing or validating the strings extracted from GitHub before they are used in shell command templates or logical evaluations.
Audit Metadata